
creavea.com Cross Site Scripting vulnerability

Description

Open Bug Bounty ID: OBB-1157341

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website: | **[creavea.com](<https://www.creavea.com>)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **yassinehmimou2** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Vulnerable URL: | (shown only as an image on the original page; not reproduced here) |

**Screenshot:** ![creavea.com vulnerability](/twimages/screen-1157341.jpg)

**Mirror:** [Click here to view the mirror](<http://1157341.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Event | Time |
|---|---|
| Vulnerability Reported: | 7 May, 2020 15:28 GMT |
| Vulnerability Verified: | 7 May, 2020 15:38 GMT |
| Website Operator Notified: | 7 May, 2020 15:38 GMT |

Notification channels used:

a. Using the ISO 29147 guidelines: done
b. Using publicly available security contacts: done
c. Using Open Bug Bounty notification framework: done
d. Using security contacts provided by the researcher: done

| Event | Time |
|---|---|
| Public Report Published [without any technical details]: | 7 May, 2020 15:38 GMT |